Because of sudo restrictions in my environment, I need to use a different executable for a single task. If I include executable: in the shell module, it seems to be ignored. But if I set executable: in ansible.cfg, it is honored.
#> cat sudo.yml
---
- hosts: localhost
gather_facts: no
tasks:
- name: test
shell: /home/oracle/rowagn.sh
changed_when: false
args:
executable: /etc/ansible-wrapper
delegate_to: "vspoem04.vsp.sas.com"
become: yes
become_user: oracle
Running the above with -vvv show the problem. Here’s the relevant output:
<vspoem04.vsp.sas.com> SSH: EXEC ssh -C -o ControlMaster=no -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=1000 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=20 vspoem04.vsp.sas.com '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=qfuuuthiowaoyrfzswwxnoutxmrrbzdn] password:" -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-qfuuuthiowaoyrfzswwxnoutxmrrbzdn ; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
but if I add executable: /etc/ansible-wrapper to ansible.cfg and run it:
<vspoem04.vsp.sas.com> SSH: EXEC ssh -C -o ControlMaster=no -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=1000 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=20 vspoem04.vsp.sas.com '/etc/ansible-wrapper -c '"'"'sudo -H -S -p "[sudo via ansible, key=scxpgodaimxpktbshaidfkbmbppdalxd] password:" -u oracle /etc/ansible-wrapper -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-scxpgodaimxpktbshaidfkbmbppdalxd ; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
How can I get shell to honor executable?
Thanks
Rob